Google Chrome contains a critical vulnerability which, under certain conditions, allows attackers to plant malicious software on computers running Windows.
According to Slovenia-based Acros Security, Google does not classify the flaw as a “vulnerability”, but as “strange behavior that [they] have to consider changing.”
The vulnerability, according to Mitja Kolsek, CEO of Acros, is rooted in Windows code and goes by several names: “DLL load hijacking”, “binary planting” or “file planting”.
The attack caught the public's eye in August 2010, when HD Moore, creator of Metasploit and chief security officer of Rapid7, found a dozen vulnerabilities in Windows applications. Moore's presentation was followed by others, including several from Kolsek of Acros.
Many Windows applications do not load a DLL by its full path but use only the file name, which gives attackers an opportunity to trick the application into loading a malicious file with the same name as the requested DLL. If attackers can trick users into visiting malicious web sites or remote shared folders, or into connecting a USB device, they can compromise the PC and plant malware on it.
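The defensive counterpart of the name-only loading described above, as an added example that is not code from Acros, Google or the original article: classify every DLL reference before it reaches the loader, so that the search order never decides which file is loaded. The function names, the enum, the sample paths in the comments and the policy of resolving bare names in System32 only are assumptions of this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Hypothetical classification used by this example only. */
enum dll_ref { DLL_FULL_PATH, DLL_BARE_NAME, DLL_REJECT };

/* Classify how a DLL is referenced before it ever reaches the loader. */
enum dll_ref classify_dll_ref(const char *p)
{
    if (p == NULL || *p == '\0')
        return DLL_REJECT;
    /* UNC path (\\server\share\x.dll): the remote shared folder case. */
    if ((p[0] == '\\' || p[0] == '/') && (p[1] == '\\' || p[1] == '/'))
        return DLL_REJECT;
    /* Drive-qualified absolute path, e.g. C:\Program Files\App\x.dll.
     * Any ".." is refused; this is deliberately conservative. */
    if (isalpha((unsigned char)p[0]) && p[1] == ':' &&
        (p[2] == '\\' || p[2] == '/'))
        return strstr(p, "..") ? DLL_REJECT : DLL_FULL_PATH;
    /* No separator and no drive prefix: file name only, which is the
     * case where the Windows search order picks the file. */
    if (strpbrk(p, "\\/:") == NULL)
        return DLL_BARE_NAME;
    /* Relative forms (dir\x.dll, .\x.dll, C:x.dll) depend on the
     * current directory, which an attacker may control. */
    return DLL_REJECT;
}

#ifdef _WIN32
/* Hardened loader: the current directory can never supply the DLL. */
HMODULE load_dll_checked(const char *p)
{
    switch (classify_dll_ref(p)) {
    case DLL_FULL_PATH:  /* load exactly the file that was named */
        return LoadLibraryExA(p, NULL, LOAD_WITH_ALTERED_SEARCH_PATH);
    case DLL_BARE_NAME:  /* treat as a system DLL: System32 only */
        return LoadLibraryExA(p, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
    default:
        return NULL;
    }
}
#endif
```

The classifier is portable and can be tested anywhere; the loader wrapper is compiled only on Windows.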
Microsoft, for example, has released 17 updates over the past 13 months to fix DLL substitution problems, the most recent at the beginning of this month.
The new vulnerability, however, affects Chrome, a browser built around a “sandbox” that isolates it from the rest of the system.
“Chrome's sandbox does not protect the system against attacks based on DLL substitution,” says Acros in its extensive article devoted to this issue.
Is there a ray of hope? Attackers need the stars to align perfectly in order to exploit the vulnerability, according to Acros.
For the vulnerability to be exploitable, Chrome must be configured to use a search engine other than Google, which, not surprisingly, is the browser's default. Acros confirmed that the attack could be launched successfully from Chrome if users have set Yahoo or Bing as the browser's preferred search site.
The user must also not have visited any secure web sites (those whose URL begins with HTTPS), Acros adds, and must be tricked into loading a file from the pop-up “Open” dialog box for the attack to start.
All this was too much for Google.
In a report on the Chromium bug tracker, a Google developer wrote, “We do not see it as a bug in the security system, [because] the preconditions for its use are too small.”
Later in the discussion thread, which Kolsek started on September 21 when he announced Acros's discovery, the same developer added that “the implausibly small opportunity to exploit this vulnerability [means] that we regard it as strange behavior that [we] must consider changing, not as a vulnerability.”
Acros does not fully agree with that.
“It's hard to dispute,” the company said of the prerequisites attackers must satisfy, keeping in mind that they will probably focus their efforts on exploits with a higher probability of success. “[But], as researchers in the field of information security, we look at any opportunities that allow remote code to be covertly downloaded and run on your computer without warning.”
Acros raises an interesting question. “How much social engineering is too much?” asks the company in its analysis of the flaw.
These debates are not new: Microsoft regularly lowers the severity of vulnerabilities when it decides that “user interaction” (tricking users into carrying out part of the attack) is part of the vulnerability.
Acros recommends that users set a secure site, for example Gmail, as Chrome's home page to negate the possibility of attack. Although Acros offered no other options, users can also protect themselves by leaving Google as the browser's default search site.